It is a good idea to execute cfengine by getting cron
to
run it regularly. This ensures that cfengine will be run even if you are
unable to log onto a host to run it yourself. Sometimes however you
will want to run cfengine immediately in order to implement a change in
configuration as quickly as possible. It would then be inconvenient
to have to log onto every host in order to do this manually. A better
way would be to issue a simple command which contacted a remote host and
ran cfengine, printing the output on your own screen:
myhost% cfrun remote-host -v output....
A simple user interface is provided to accomplish this. cfrun
makes a connection to a remote cfd-daemon
and executes cfengine on that system with the privileges of the
cfd-daemon (usually root
). This has a two advantages:
A potential disadvantage with such a system is that malicious users might be able to run cfengine on remote hosts. The fact that non-root users can execute cfengine is not a problem in itself, after all the most malicious thing they would be able to do would be to check the system configuration and repair any problems. No one can tell cfengine what to do using the cfrun program, it is only possible to run an existing configuration. But a more serious concern is that malicious users might try to run cfengine repeatedly (so-called `spamming') so that a system became burdened with running cfengine constantly, See section Spamming and security.
Go to the first, previous, next, last section, table of contents.